[Git][security-tracker-team/security-tracker][master] Add CVE-2026-33416/libpng1.6

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
131d4c7e by Salvatore Bonaccorso at 2026-03-26T12:35:18+01:00
Add CVE-2026-33416/libpng1.6

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,11 @@
+CVE-2026-33416 [Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`]
+	- libpng1.6 <unfixed>
+	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j
+	NOTE: https://github.com/pnggroup/libpng/pull/824
+	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb (v1.6.56)
+	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 (v1.6.56)
+	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667 (v1.6.56)
+	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1 (v1.6.56)
 CVE-2026-33636 [Out-of-bounds read/write in the palette expansion on ARM Neon]
 	- libpng1.6 <unfixed>
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/131d4c7ec9f385631ac568dbaa417697b678d9e3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/131d4c7ec9f385631ac568dbaa417697b678d9e3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260326/346be900/attachment.htm>